Tobias,

Please see my answer to Lucas, is that viable?

___

Thanks Lucas

I figured this out already. But as I understand PAM puts the credentials in a store for all modules to read from. Where should I do the input of the second password - in my own module?

I considered something like

1. inputting the combined password <normalpw><onetimepw> to the login prompt
2. let my onetime password routine kick in first and if remote is on an external net verifying <onetimepw>. If ok modify the stored pw by stripping off the onetime part
3. let the normal auth verify the rest.

___

Best regards
Claus Bruun

-----Original Message-----
From: pam-list-admin@xxxxxxxxxx [mailto:pam-list-admin@xxxxxxxxxx] On Behalf Of Tobias Schaefer
Sent: 9 December 2003 10:54
To: pam-list@xxxxxxxxxx
Subject: Re: Additional input (second password) during login

> > I wonder if it's possible to fiddle with PAM to allow for
> > conditional input of an additional password. I would e.g. like ssh
> > login to do an extra prompt for an one time password if the user
> > logs in from a non-internal network.
>
> Hi,
>
> Sure, one just needs to configure pam.conf (or app.conf) to use other
> modules of authentication as well, such as:

It's not that easy: In case of ssh you configure pam for sshd on the server machine. But you communicate the password to the client program ssh. Since there is no generic communication mechanism between client and server you cannot present arbitrary questions to the user. You are constrained by the ssh-protocol between client and server. And that does allow for one password.

Tobias

--
Tobias Schaefer               Phone 07071-9457-0
science + computing ag        FAX 07071-9457-27
Hagellocher Weg 71-75
D-72070 Tuebingen             Email: T.Schaefer@xxxxxxxxxxxxxxxxxxxx
                              WWW: http://www.science-computing.de/

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
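
The three-step proposal in the message above (combined `<normalpw><onetimepw>`, verify and strip the one-time part for external hosts, hand the rest to the normal auth), as an added example that is not part of the original thread or of any existing PAM module. Assumptions: a fixed 6-character OTP suffix, an expected OTP supplied by the caller, RFC 1918 and loopback IPv4 addresses counted as internal, and hypothetical function names; the PAM calls are named only in comments so the block builds without PAM headers.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OTP_LEN 6  /* assumption: fixed-length one-time password suffix */

/* 1 if rhost is an IPv4 literal in an RFC 1918 or loopback range; anything
 * that does not parse (hostname, IPv6) is treated as external. */
static int is_internal(const char *rhost) {
    struct in_addr a;
    if (rhost == NULL || inet_pton(AF_INET, rhost, &a) != 1) return 0;
    uint32_t ip = ntohl(a.s_addr);
    return (ip >> 24) == 10 || (ip >> 24) == 127 ||
           (ip >> 20) == 0xAC1 || (ip >> 16) == 0xC0A8;
}

/* Compare OTP_LEN bytes without an early exit on the first mismatch. */
static int otp_equal(const char *a, const char *b) {
    unsigned char diff = 0;
    for (size_t i = 0; i < OTP_LEN; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps 2 and 3: in a module, authtok would come from pam_get_item(PAM_AUTHTOK),
 * rhost from pam_get_item(PAM_RHOST), and out would be written back with
 * pam_set_item(PAM_AUTHTOK) for the next module in the stack.
 * Returns 0 and fills out with <normalpw>, or -1 to reject. */
static int split_authtok(const char *authtok, const char *rhost,
                         const char *expected_otp, char *out, size_t out_sz) {
    size_t len = strlen(authtok), keep = len;
    if (!is_internal(rhost)) {
        /* external: need a non-empty password followed by the OTP suffix */
        if (strlen(expected_otp) != OTP_LEN || len <= OTP_LEN) return -1;
        keep = len - OTP_LEN;
        if (!otp_equal(authtok + keep, expected_otp)) return -1;
    }
    if (keep >= out_sz) return -1;   /* would not fit: reject, never truncate */
    memcpy(out, authtok, keep);
    out[keep] = '\0';
    return 0;
}

int main(void) {
    char pw[64];  /* sample values below are constructed */
    int rc = split_authtok("hunter2492817", "203.0.113.5", "492817", pw, sizeof pw);
    printf("rc=%d normalpw=%s\n", rc, rc == 0 ? pw : "(rejected)");
    return 0;
}
```

For step 3 to see the stripped value, the following module has to take the stored token instead of prompting again, which pam_unix does with `use_first_pass` or `try_first_pass`.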